The Use of Personal Digital Assistants Poses Significant Security Risks

July 2004

Reference Number: 2004-20-126

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process, and information determined to be restricted from public release has been redacted from this document.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

July 16, 2004

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM:     Gordon C. Milbourn III
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report - The Use of Personal Digital Assistants Poses Significant Security Risks (Audit # 200420021)

This report presents the results of our review of controls over Personal Digital Assistants (PDA). The overall objective of this review was to determine whether the Internal Revenue Service (IRS) had implemented effective policies and procedures to adequately control the purchase, distribution, and use of PDAs.

Since the early 1990s, PDAs have become increasingly popular because of their portability and computing capabilities. PDAs can perform many of the same functions as laptop computers, but they lack many of the security controls that are available for laptops and other computers. The portability of PDAs and their capacity to store sensitive data pose significant security risks for the IRS. To minimize those risks, the IRS requires that only PDAs certified as having adequate security capabilities be purchased and that the Chief Information Officer (CIO) approve all purchases.

In summary, the IRS has purchased 427 PDAs for key personnel who may be directly involved in ensuring the continuity of operations during an emergency. These PDAs encrypt data, were certified as secure, and were approved by the CIO.

However, the IRS has over 2,000 uncertified PDAs that can connect to the IRS network. Business units purchased these PDAs, without the approval of the CIO, as a business tool for managers and employees to use while traveling. When such a PDA is synchronized to a networked computer, it provides a backdoor into the network: data moves between the device and the desktop over the synchronization link rather than through the network perimeter, so the transfer bypasses many of the existing security detection controls. Because these PDAs do not encrypt data, they could expose sensitive information, such as taxpayer data, if lost or stolen.

We could not account for the PDAs purchased by the business units because the business units did not maintain inventories or distribution records for these devices. As an alternative, we used IRS software that scanned the network to identify computers on which PDA synchronization software was installed. We tested 125 computers in 4 locations and found that several employees and contractors had installed unauthorized software to allow them to connect their personal PDAs to the IRS network. Some PDAs contained unencrypted sensitive information, such as step-by-step instructions for gaining access to large IRS databases containing taxpayer information and to systems used to process travel vouchers.

Approximately 85 percent of the employees in our sample did not use the password feature available on their PDAs. In general, employees were not aware of the sensitivity of the information they had placed on their PDAs. None of the IRS employees in our sample had been given any information about the risks of using PDAs or the controls necessary to reduce those risks.

We recommended the CIO establish firm procedures and time periods to either replace or upgrade PDAs with a solution certified by the Chief, Mission Assurance. PDAs that remain in use should be inventoried and monitored for compliance with security controls. We also recommended that the CIO continue to scan the network to identify and remove unauthorized synchronization software, and periodically remind employees and contractors of the risks associated with PDAs and the procedures they should follow to minimize risk.

Management's Response: The CIO concurred with our recommendations and will implement actions to ensure PDAs connected to the IRS network comply with appropriate security controls. The CIO will select a security package that has password and encryption capabilities and establish a process for removing or replacing all uncertified PDAs on the IRS network.

Also, the End User Equipment and Services (EUES) organization will conduct a semiannual scan of IRS networks to identify workstations that have synchronization software and issue a report identifying the users and their locations. A member of the EUES staff will be assigned the responsibility of removing all unauthorized synchronization software and uncertified PDAs from the IRS network. In addition, employees and contractors will be informed about the risks associated with PDAs and the prohibition against connecting personal equipment to the IRS Intranet and network. Management's complete response to the draft report is included as Appendix IV.

Please contact me at (202) 622-6510 if you have questions, or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background
The Internal Revenue Service Has Purchased and Distributed Thousands of Uncertified Personal Digital Assistants
    Recommendations 1 through 4
    Recommendation 5
Appendix I – Detailed Objective, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix IV – Management's Response to the Draft Report

Background

Since the early 1990s, the Personal Digital Assistant (PDA) has evolved from a device of very limited function, compatibility, and capacity into a highly functional extension of a user's desktop environment. Capacity, connection options, and processing power have all increased dramatically, while the applications and uses for PDAs have become increasingly complex. At the same time, decreasing prices and the increasing use of multifunction devices are helping fuel the rapid proliferation of PDAs.

In spite of their popularity and potential productivity benefits, PDAs pose risks to an organization's security. The very portability that makes a PDA so useful and attractive to its users threatens security: it increases the PDA's exposure to theft or loss and makes the PDA a highly portable tool for circumventing security from within an organization. One study reported that approximately 250,000 handheld devices were left behind or lost in United States airports in 2001.¹ Many of those devices likely contained information useful to hackers and to others with no need to know proprietary information.

PDAs generally lack the self-protection capabilities that are available for other computers, which raises concern over the protection of sensitive material downloaded to a PDA. When PDAs are purchased, user authentication is generally not enabled; where it is enabled, it may be weak or easily circumvented. Also, information on PDAs is usually not automatically encrypted, leaving encryption to the user.

PDAs that offer wireless communication capabilities generally increase the security risk to organizations. Wireless transmissions may be intercepted and, if inadequately encrypted, reveal their contents. The cellular capabilities of some recent PDAs are a significant reason for concern. A PDA could be connected to an organization's network or to a desktop computer and at the same time be connected to some nonsecure network, providing an unsecured conduit into the organization that circumvents the organization's firewall. In addition, viruses and other malicious software that attack the PDA itself are beginning to emerge and can be expected to proliferate as the PDA platform becomes more compatible with, and more connected to, common target systems.

¹ Richard Price, "The PDA as a Threat Vector," SANS Institute (March 2003).

This review was performed at the Internal Revenue Service (IRS) National Headquarters in Washington, D.C., and at the IRS offices in New Carrollton, Maryland; New York, New York; and Oakland, California, during the period January through February 2004. We reviewed PDAs in the Wage and Investment, Small Business/Self-Employed, Large and Mid-Size Business, and Tax Exempt and Government Entities Divisions and in the Agency-Wide Shared Services function.

The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

The Internal Revenue Service Has Purchased and Distributed Thousands of Uncertified Personal Digital Assistants

In May 2003, the Chief Information Officer (CIO) expressed concern over the proliferation of PDAs within the IRS, including both Federal Government and personally owned devices.
The CIO believed actions were needed to establish control of the devices, manage the risks associated with them, and enforce existing security prohibitions. To minimize the risks, the IRS requires that only PDAs certified as having adequate security capabilities be purchased and that the CIO approve all purchases.

However, these procedures have not been effective in adequately controlling the use of PDAs. We noted the following conditions:

• Purchases of PDAs were not properly authorized.
• PDAs were not properly controlled and inventoried.
• Employees did not follow security procedures when using PDAs.

These conditions increase the risk that unauthorized persons could access the IRS network to disrupt operations or steal taxpayer information. Lost or stolen PDAs could also provide access to unencrypted sensitive information.

Purchases of PDAs were not properly authorized

The IRS permits the use of a PDA by any employee with a business reason, provided the PDA is certified, accredited, and capable of encrypting transmissions. The IRS has purchased 427 PDAs for key personnel who may be directly involved in ensuring the continuity of operations during an emergency. These PDAs provide real-time email capabilities, encrypt data, were certified as secure, and were approved by the CIO as required.

However, the CIO estimates the IRS has over 2,000 uncertified PDAs that can connect to the IRS network. Business units purchased the uncertified PDAs without the prior approval of the CIO, bypassing existing procedures, for managers and employees to use while traveling. We found no documentation that business units assessed the security risks before purchasing the PDAs.

PDAs were not properly controlled and inventoried

We could not account for the PDAs that had been purchased by the business units because the business units did not maintain inventories or distribution records for these devices. IRS inventory analysts stated that the cost of individual PDAs was not considered substantial enough to warrant creation of a PDA inventory.

IRS procedures require that all sensitive equipment be inventoried, regardless of cost. Particularly because of their inherent risks, PDAs should have been inventoried regardless of cost.

Employees did not follow security procedures when using PDAs

We judgmentally selected 125 computers in 4 locations that had been identified as having PDA synchronization software.² We confirmed 88 employees had PDAs that were used to access the IRS network.³ Several of the PDAs we reviewed contained unencrypted sensitive but unclassified data. For example, four PDAs contained sensitive IRS data, such as step-by-step instructions for gaining access to large IRS databases containing taxpayer information and to systems used to process travel vouchers. Another PDA stored a 100-page crisis communications plan that contained IRS employee and building information. Other PDAs included email attachments referencing a Limited Official Use Memorandum of Understanding and a CIO database.

² Without a valid inventory, the IRS used TIVOLI® software to scan the network and identified 2,565 computers with PDA synchronization software installed. While this technique was the only one available to locate PDAs, its results were incomplete because the software can only scan computers connected to the network at the time of the scan; the count is therefore a lower bound on the number of computers with synchronization software.

³ Although we sampled 125 computers, we confirmed that only 88 employees had PDAs. We believe the difference exists because employees could have returned their PDAs without removing the synchronization software, some employees may never have been issued a PDA, and synchronization software could have been removed after we selected our sample.

In our sample, 75 (85 percent) of 88 employees did not use the password feature available on their PDAs. In addition, many employees were not aware of the sensitivity of the information, such as emails, that they had placed on their PDAs. We learned that IRS PDA users often set their PDA email function to automatically download their inbox to the unsecured PDA each time they connected to the network. This practice increased the risk that sensitive data could be inadvertently placed on the PDA.

We determined that, in addition to those PDAs purchased by the business units, employees and contractors had connected their personal PDAs to the IRS network. Twelve IRS employees or contractors were using personal PDAs, and five employees or contractors had installed their own synchronization software on IRS computers. Three employees or contractors had computers with unauthorized wireless and/or cell phone software installed.

Also, we identified the following three potential integrity issues, which will be referred to the Treasury Inspector General for Tax Administration Office of Investigations for further review:

• A contractor had self-installed synchronization software on his or her desktop to enable the contractor to use an unauthorized PDA with this computer. The synchronization log indicated the contractor had downloaded two pornographic Internet web sites onto the PDA. In addition, the contractor had installed unauthorized software on this desktop that allowed him or her to communicate outside the IRS network via a modem, a high-risk practice specifically prohibited by the IRS. A telephone line had been connected directly to this desktop computer, indicating the contractor may have used the modem.

• A contractor with synchronization software installed on his or her desktop claimed he or she never used the software. Upon review of the synchronization log, we noted synchronization occurred on September 3, 2003. The contractor stated he or she was on vacation at that time, left the PDA in the cradle, and did not know who used the desktop and synchronization software.

• One laptop was loaned to an employee without removal of the synchronization software, giving the employee the opportunity to connect a personal PDA or other unauthorized device to the laptop.

Business units did not provide employees with guidance on how to use the PDAs in a secure manner. None of the IRS employees in our sample were given any information regarding the risks of using PDAs and the controls necessary to reduce the risks.

In December 2003, the CIO sent a draft memorandum to the business units reminding them of the security risks associated with PDAs and the need to protect sensitive data. The CIO encouraged business units to purchase the PDA currently certified for use if real-time email capabilities were required. For those employees not requiring that capability, the CIO indicated uncertified PDAs currently in use could continue to be used until a certified device could replace them. No specific procedures or time periods were provided for accomplishing these actions.

Recommendations

The CIO should:

1. Establish firm measures and time periods to either replace or upgrade PDAs with a solution certified by the Chief, Mission Assurance.

Management's Response: The CIO will select a security package with password and encryption capabilities and establish a process (including measures and time periods) for removing or replacing existing PDAs on the network that are not certified.

2. Inventory and monitor all PDAs in use for compliance with security controls.

Management's Response: The Director, End User Equipment and Services (EUES), has assigned a Contracting Officer's Technical Representative to inventory all PDAs now in use. The EUES organization will scan the network to confirm that all PDAs connected to the network comply with security controls.

3. Continue to scan the network to identify computers with synchronization software and follow up to determine whether personal PDAs are being used. Unauthorized synchronization software should be removed from networked computers.

Management's Response: The EUES organization will conduct a semiannual scan of the IRS networks, identify the workstations that have synchronization software, and issue a report that matches the assigned user and location of the workstation. The report will be distributed to the EUES organization Area Directors, who will designate a staff member to take appropriate action to remove all unauthorized synchronization software and wireless devices from the network.

4. Periodically remind employees and contractors that connecting personal equipment, such as PDAs, to the IRS network is prohibited.

Management's Response: The Modernization and Information Technology Services organization will inform employees and contractors, when it provides initial service, that connecting personal equipment to the IRS Intranet and network is prohibited. In addition, the Director of Assurance Programs in the Office of Mission Assurance incorporated PDA training in the Annual Security Awareness Program for Calendar Year 2004, advising employees that connecting personal equipment such as PDAs to the IRS network is prohibited. This is ongoing training that was scheduled to begin in late June 2004. The Director of Assurance Programs will also coordinate with the Procurement function in the Agency-Wide Shared Services organization to identify the means to effectively communicate reminders to contractors that connecting personal equipment, such as PDAs, to the IRS network is prohibited.

5. Provide training to those employees with authorized PDAs and advise them of the risks associated with PDAs. The training should address the need for using passwords and encrypting sensitive data.

Management's Response: The EUES organization will inform employees about the risks associated with PDAs when it provides them with initial service. Also, the Director of Assurance Programs has incorporated PDA training in the Annual Security Awareness Program for Calendar Year 2004. The training advises employees of the associated risks and the need for using passwords and encrypting sensitive data. Training was scheduled to begin in late June 2004.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the Internal Revenue Service (IRS) had implemented effective policies and procedures to adequately control the purchase, distribution, and use of Personal Digital Assistants (PDA).

I. To determine whether IRS management had established sufficient policies, procedures, and guidelines to ensure PDAs were used in a secure manner, we:

   A. Reviewed all current policies and procedures to determine whether there were specific criteria and standards for the use of PDAs and whether security controls pertaining to sensitive but unclassified information and emails were adequate.

   B. Evaluated the types of security risks PDA use poses to the IRS network.

   C. Using TIVOLI® software to scan the IRS network, identified a population of 2,565 computers with PDA synchronization software installed and judgmentally selected 4 IRS offices (sites) based on which locations had among the highest numbers of computers with PDA software. We chose a judgmental sample for efficiency and because we did not plan to project results.
      The four sites selected were IRS Headquarters, Washington, D.C.; New Carrollton, Maryland; New York, New York; and Oakland, California.

   D. Interviewed End User Equipment and Services organization and Modernization and Information Technology Services (MITS) organization Territory Managers at the four sites to determine whether requirements for the use of PDAs were disseminated to PDA users and whether PDA users had been provided training on the reduction of risks relative to PDAs.

   E. Judgmentally selected 30 computers at each of 3 sites and 35 at a fourth site, for a total of 125 computers, from the 2,565 computers identified by the TIVOLI® software and confirmed that 88 of those employees and contractors still had PDAs. We interviewed the 88 PDA users identified by the TIVOLI® scan at the 4 sites to determine how they used PDAs and what information they stored on their PDAs. We also evaluated their PDAs, synchronization software, and logs to determine what PDA functions were used and whether sensitive but unclassified information was stored on the PDAs.

II. To determine whether controls were adequate to account for all PDAs received and distributed, we:

   A. Interviewed MITS organization management and inventory analysts to determine procedures and policies for tracking PDAs.

   B. Evaluated any available documentation for purchasing, tracking, or accounting for PDA use.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Gerald H. Horn, Audit Manager
Jody L. Kitazono, Senior Auditor
Abraham Millado, Senior Auditor
William Simmons, Senior Auditor

Appendix III

Report Distribution List

Commissioner  C
Office of the Commissioner – Attn: Chief of Staff  C
Deputy Commissioner for Operations Support  OS
Chief, Mission Assurance  OS:MA
Acting Director, Portfolio Management  OS:CIO:R:PM
Chief Counsel  CC
National Taxpayer Advocate  TA
Director, Office of Legislative Affairs  CL:LA
Director, Office of Program Evaluation and Risk Analysis  RAS:O
Office of Management Controls  OS:CFO:AR:M
Audit Liaisons:
    Chief Information Officer  OS:CIO:M
    Chief, Mission Assurance  OS:MA

Appendix IV

Management's Response to the Draft Report
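The network scan in Appendix I (steps I.C and I.E) and the semiannual scan-and-report process in the response to Recommendation 3 reduce to the same triage: take a software-inventory export, flag the workstations that carry synchronization or wireless software, match each to its assigned user and location, and rank sites by count for follow-up. The block below is an added example of that triage, written for this edit; it is not the IRS's procedure and not TIVOLI® output. The CSV layout (hostname, user, location, products), the product-name patterns and the sample rows are all constructed assumptions. It also merges two scan runs to show the caveat in footnote 2: a single scan sees only the hosts online at the time, so any one scan's count is a lower bound.

```python
"""
Triage a software-inventory export for PDA synchronization and wireless
software, along the lines of the network scan described in the report.

Added example, not the IRS's or TIVOLI's code.  The CSV layout
(hostname, user, location, products), the product-name patterns and the
sample rows are assumptions; real inventory exports will differ.
"""
import csv
import io
import re
from collections import Counter

# Name patterns for synchronization software, and for the wireless/cellular
# software the report says should not be on IRS workstations.  Illustrative
# only (HotSync, ActiveSync and Intellisync were common 2004-era products);
# not an exhaustive or authoritative catalogue.
SYNC_PATTERNS = [
    re.compile(r"hotsync", re.I),          # Palm HotSync Manager
    re.compile(r"palm desktop", re.I),
    re.compile(r"activesync", re.I),       # Microsoft ActiveSync (Pocket PC)
    re.compile(r"intellisync", re.I),
    re.compile(r"blackberry desktop", re.I),
]
WIRELESS_PATTERNS = [
    re.compile(r"wireless", re.I),
    re.compile(r"cell(ular)? phone", re.I),
    re.compile(r"dial-?up", re.I),
]

# Constructed sample exports: one row per workstation seen by a scan,
# products separated by ';'.  Two scan runs, each missing hosts that were
# offline at the time, so the merge below can show the footnote 2 caveat.
SCAN_A = """hostname,user,location,products
HQ-WS-001,jdoe,Washington DC,Microsoft Office 2000;Palm Desktop 4.1 (HotSync Manager)
HQ-WS-002,asmith,Washington DC,Microsoft Office 2000;Adobe Reader 6
NC-WS-010,bjones,New Carrollton MD,Microsoft ActiveSync 3.7;Microsoft Office 2000
NY-WS-020,clee,New York NY,Intellisync 5;Verizon Wireless Sync;Microsoft Office 2000
OAK-WS-030,dkim,Oakland CA,Palm Desktop 4.1 (HotSync Manager)
"""
SCAN_B = """hostname,user,location,products
HQ-WS-001,jdoe,Washington DC,Microsoft Office 2000;Palm Desktop 4.1 (HotSync Manager)
HQ-WS-003,efox,Washington DC,Palm Desktop 4.1 (HotSync Manager);Cell Phone Data Suite
NC-WS-010,bjones,New Carrollton MD,Microsoft ActiveSync 3.7;Microsoft Office 2000
"""


def parse_export(text):
    """Parse one CSV export into a dict hostname -> row, products as a list."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["products"] = [p.strip() for p in row["products"].split(";") if p.strip()]
        rows[row["hostname"]] = row
    return rows


def classify(products):
    """Return (sync_hits, wireless_hits): the product names that matched."""
    sync = [p for p in products if any(rx.search(p) for rx in SYNC_PATTERNS)]
    wireless = [p for p in products if any(rx.search(p) for rx in WIRELESS_PATTERNS)]
    return sync, wireless


def merge_scans(*exports):
    """Union several scan exports keyed by hostname.

    One scan only lists hosts that were online at scan time, so its count is
    a lower bound.  Merging repeated scans narrows the gap without closing it.
    """
    merged = {}
    for export in exports:
        for host, row in parse_export(export).items():
            merged.setdefault(host, row)
    return merged


def build_report(merged):
    """One finding per workstation with sync or wireless software (hostname,
    user, location, what matched), plus a per-location count used to rank
    sites for follow-up, as the audit did when choosing its four sites."""
    findings = []
    per_site = Counter()
    for host, row in sorted(merged.items()):
        sync, wireless = classify(row["products"])
        if sync or wireless:
            findings.append({"hostname": host, "user": row["user"],
                             "location": row["location"],
                             "sync": sync, "wireless": wireless})
            per_site[row["location"]] += 1
    return findings, per_site


if __name__ == "__main__":
    findings, per_site = build_report(merge_scans(SCAN_A, SCAN_B))
    for f in findings:
        print(f"{f['hostname']:12} {f['user']:8} {f['location']:18} "
              f"sync={f['sync']} wireless={f['wireless']}")
    print("workstations with sync/wireless software per site:")
    for site, n in per_site.most_common():
        print(f"  {n:3}  {site}")
```

Run on the constructed data, scan A alone yields four flagged workstations and scan B alone three, while the merge yields five: the host seen only in the second run would be missed by any single scan, which is the same limitation the audit noted for its own population of 2,565. The report output is deliberately the user-and-location pairing Management committed to, so that a designated staff member can go to a desk rather than chase a hostname.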